PT-2021-23230 · Symfony+2

Jderusse · Published 2021-11-24 · Updated 2024-03-06 · CVE-2021-41270

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Symfony versions 4.1.0 through 4.4.34; Symfony versions 5.0.0 through 5.3.11
Description: CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted as a formula and could be abused by an attacker. In Symfony, the csv_escape_formulas option of CsvEncoder was added to prefix every cell starting with =, +, - or @ with a tab character (\t). However, OWASP added two more characters to this list, Tab (0x09) and Carriage Return (0x0D), so the tab used as the prefix is itself one of the dangerous characters. OWASP suggests prefixing the value with a single quote (') instead.
Recommendations: For Symfony versions 4.1.0 through 4.4.34, update to version 4.4.35 or later. For Symfony versions 5.0.0 through 5.3.11, update to version 5.3.12 or later. As a temporary workaround, use the single quote (') as the prefix and apply it to cells starting with \t or \r as well as =, +, - and @.
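As an added illustration, not code from Symfony or from the advisory's authors, the plain-PHP script below models the two escaping rules the description contrasts: the legacy rule (four trigger characters, tab prefix) and the hardened rule that the workaround describes and the fixed releases apply (six trigger characters, single-quote prefix). The helper names and the sample rows are constructed for this example; Symfony's CsvEncoder is not called, so the script runs with a bare PHP interpreter.

```php
<?php
// Added example (not Symfony's own code): a plain-PHP model of the two
// formula-escaping rules contrasted in the advisory. The helpers below are
// hypothetical names chosen for this example; they reimplement the rule
// rather than calling Symfony's CsvEncoder.

declare(strict_types=1);

/**
 * Rule of the affected versions: only =, +, - and @ trigger escaping, and the
 * prefix is a tab. A cell that already starts with a tab is left untouched.
 */
function escapeFormulaLegacy(string $value): string
{
    $dangerous = ['=', '+', '-', '@'];
    if ($value !== '' && in_array($value[0], $dangerous, true)) {
        return "\t" . $value;
    }
    return $value;
}

/**
 * Rule following the OWASP list cited in the advisory: Tab (0x09) and
 * Carriage Return (0x0D) join the trigger list, and the prefix is a single
 * quote, which is not itself a trigger character.
 */
function escapeFormulaHardened(string $value): string
{
    $dangerous = ['=', '+', '-', '@', "\t", "\r"];
    if ($value !== '' && in_array($value[0], $dangerous, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Encode rows to CSV in memory, running every cell through $escaper first.
 *
 * @param list<list<string>> $rows
 */
function encodeCsv(array $rows, callable $escaper): string
{
    $fh = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map($escaper, $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample input: a header row, a cell that starts with "=", and a
// cell that starts with a tab followed by "=" (the case the legacy rule misses).
$rows = [
    ['name', 'note'],
    ['alice', '=1+1'],
    ['bob', "\t=1+1"],
];

// Tabs are rendered as <TAB> so the difference between the rules is visible.
echo "Legacy rule (tab prefix, 4 trigger characters):\n";
echo str_replace("\t", '<TAB>', encodeCsv($rows, 'escapeFormulaLegacy'));

echo "\nHardened rule (single-quote prefix, 6 trigger characters):\n";
echo str_replace("\t", '<TAB>', encodeCsv($rows, 'escapeFormulaHardened'));
```

Running the script with `php` prints both encodings. Under the legacy rule the cell `\t=1+1` passes through with no prefix at all, because a leading tab is not on the four-character list; under the hardened rule the same cell receives the single-quote prefix, and the `=1+1` cell gets `'` rather than a tab, so no cell in the output begins with a character a spreadsheet treats as the start of a formula.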

Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers

BIT-SYMFONY-2021-41270
CVE-2021-41270
GHSA-2XHG-W2G5-W95X
USN-5290-1

Affected Products

Linuxmint
Symfony
Ubuntu